New York Department of Financial Services Imposes Penalty and Consent Order for Cybersecurity Violations

The New York Department of Financial Services ("NYDFS") fined a mortgage bank $1.5 million for violations of New York's Cybersecurity Regulation, including failure to report a past cyber incident.

On March 3, 2021, the NYDFS announced it had entered into a consent order with a mortgage bank for violating New York's first-in-the-nation Cybersecurity Regulation, which became effective in March 2019. The settlement results from the agency's findings during a routine compliance examination that the mortgage bank had failed to investigate adequately a cyber incident that exposed private data, failed to report the incident under state data breach notification laws and the NYDFS Cybersecurity Regulation, and failed to conduct a comprehensive cybersecurity risk assessment—despite a certification of compliance with the Cybersecurity Regulation provided by the Chief Information Security Officer.

The examination revealed that the bank was aware of a successful phishing attack on an employee's email account that contained sensitive personal data of loan applicants. The NYDFS considered the bank's investigation into the incident to be inadequate because the bank did not review the contents of the email account to identify affected personal information and did not notify affected consumers and state agencies of the incident, as required under state data breach notification laws. The NYDFS also concluded that the bank had failed to comply with the NYDFS Cybersecurity Regulation, which required the bank to notify NYDFS within 72 hours of determining that the incident required notice to another government agency. As part of the settlement, the bank agreed to pay a $1.5 million penalty and to comply with all provisions of the Cybersecurity Regulation.

The settlement demonstrates that the NYDFS is devoting resources to examining financial institutions for compliance with the Cybersecurity Regulation. To diminish the risk of an enforcement action, financial institutions should review their policies and test their implementing practices governing cyber, information and data security, privacy, business continuity, operations and risk management, and technology. In particular, to facilitate timely reporting of cybersecurity incidents, financial institutions should assess the sufficiency of their cyber incident response plans and reporting protocols and remediate issues before NYDFS conducts an examination.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.